A recent discovery by cybersecurity experts reveals a dangerous trend in cyber attacks: the abuse of a legitimate but outdated Avast Anti-Rootkit driver to bypass security measures and take control of targeted systems. The campaign, identified by researchers at Trellix, centers on a variant of malware known as AV Killer that is not linked to any known malware family, which indicates a sophisticated approach by cybercriminals to evade detection.
The malware associated with this attack, known as kill-floor.exe, drops the vulnerable driver, under the file name ntfs.bin, into a standard Windows user folder. Using the technique known as ‘bring-your-own-vulnerable-driver’ (BYOVD), it abuses the driver’s kernel-level capabilities, which grant the malicious software substantial access to critical operating system functions. This access allows the malware to identify and terminate a wide array of security processes.
The alarming aspect of this malware is its hardcoded list of 142 specific security processes from various well-known vendors, which it uses to identify targets on a compromised system. According to Trellix researcher Trishaan Kalra, when the malware recognizes a match within the active processes, it “creates a handle to reference the installed Avast driver,” enabling it to issue commands to disable security measures through the ‘DeviceIoControl’ API.
The targeted products come primarily from leading cybersecurity vendors, including McAfee, Symantec (Broadcom), Sophos, Avast, Trend Micro, Microsoft Defender, SentinelOne, ESET, and BlackBerry. With these defenses disarmed, the malware can carry out its malicious objectives in stealth mode, effectively avoiding user alerts or detection by security systems.
Notably, similar tactics utilizing the Avast Anti-Rootkit driver were observed as early as 2022, when researchers investigated the AvosLocker ransomware attacks. Earlier, in December 2021, the Incident Response Services team from Stroz Friedberg uncovered that Cuba ransomware also relied on this same abuse of the Avast driver to neutralize security solutions on targeted systems. Around the same time, SentinelLabs revealed the existence of two critical vulnerabilities (CVE-2022-26522 and CVE-2022-26523) that had lingered since 2016, both capable of being exploited to elevate privileges and disable security products. Although the issues were reported to Avast in late 2021, the fixes were shipped quietly in security updates.
To mitigate the risks of similar attacks that leverage such vulnerable drivers, cybersecurity experts advise employing rules that can detect and prevent unauthorized components based on their unique signatures or hashes. Solutions like the vulnerable driver blocklist policy file, provided by Microsoft, can also be instrumental in thwarting these types of attacks. This blocklist is routinely updated with each major Windows release, and since the rollout of Windows 11 in 2022, it has been automatically activated on all devices, providing an additional layer of security.
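As an added example of the hash- and path-based detection described above (this is not code from Trellix or from the article), the following Python flags driver-load records in the shape of Sysmon Event ID 6; the sample records, the blocklist hash, the signer strings and the expected Avast install directory are all constructed assumptions.

```python
import re

# Constructed placeholder, not a real hash; a deployment would load SHA-256 values
# from a curated vulnerable-driver list such as Microsoft's blocklist policy.
BLOCKED_SHA256 = {"0000placeholder_blocklisted_driver_hash0000"}
# Assumed directories from which an installed Avast driver would legitimately load.
AVAST_DIRS = ("c:\\program files\\avast software\\", "c:\\windows\\system32\\drivers\\")
USER_DIR_RE = re.compile(r"^c:\\users\\", re.IGNORECASE)


def parse_hashes(field):
    """Sysmon 'Hashes' field 'SHA256=...,MD5=...' -> {'SHA256': '...', 'MD5': '...'}."""
    out = {}
    for part in field.split(","):
        if "=" in part:
            algo, value = part.split("=", 1)
            out[algo.strip().upper()] = value.strip().lower()
    return out


def evaluate(record):
    """Reasons a driver-load record looks like a BYOVD attempt; empty list = benign."""
    path = record.get("ImageLoaded", "")
    low, signer = path.lower(), record.get("Signature", "").lower()
    reasons = []
    if parse_hashes(record.get("Hashes", "")).get("SHA256") in BLOCKED_SHA256:
        reasons.append("hash on vulnerable-driver blocklist")
    if USER_DIR_RE.match(path):
        reasons.append("driver loaded from a user profile directory")
    if not low.endswith(".sys"):
        reasons.append("driver file without .sys extension")
    if "avast" in signer and not low.startswith(AVAST_DIRS):
        reasons.append("Avast-signed driver outside its vendor directory")
    return reasons


def scan(records):
    """Map ImageLoaded -> reasons for every record that trips at least one check."""
    return {r["ImageLoaded"]: evaluate(r) for r in records if evaluate(r)}


# Constructed sample records in the shape of Sysmon Event ID 6 (Driver Loaded);
# the signer strings and the Avast file name are assumptions, not observed values.
SAMPLE_RECORDS = [
    {"ImageLoaded": "C:\\Windows\\System32\\drivers\\ntfs.sys",
     "Hashes": "SHA256=" + "11" * 32, "Signature": "Microsoft Windows"},
    {"ImageLoaded": "C:\\Program Files\\Avast Software\\Avast\\example_avast.sys",
     "Hashes": "SHA256=" + "22" * 32, "Signature": "Avast Software s.r.o."},
    {"ImageLoaded": "C:\\Users\\alice\\AppData\\Local\\Temp\\ntfs.bin",
     "Hashes": "SHA256=0000placeholder_blocklisted_driver_hash0000",
     "Signature": "Avast Software s.r.o."},
]
```

Running scan(SAMPLE_RECORDS) flags only the ntfs.bin record, with all four reasons, while the two drivers loading from their expected locations pass.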
As cyber threats evolve, users are urged to remain vigilant and utilize effective security measures to protect against increasingly sophisticated tactics employed by cybercriminals. This alarming development in the world of hacking serves as a crucial reminder of the need for continuous improvements in cybersecurity protocols and solutions.